Summary
SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions
LIVE SELECT statements are used to capture changes to data within a table in real time. Documents included in WHERE conditions and DELETE notifications were not properly reduced to respect the querying user's security context. Instead the leaked documents reflect the context of the user triggering the notification.
This allows a record or guest user with permissions to run live query subscriptions on a table to observe unauthorised records within the same table, when another user is altering or deleting these records, bypassing access controls.
Workarounds
Assess the impact of users with permissions on table records effectively having full read access to the table, use separate tables if required, with impacts to functionality.
Impact
A record or guest user with permissions to run live query subscriptions on a table is able to observe unauthorised records within the same table, with unauthorised records returned when deleted, or when records matching the WHERE conditions are created, updated, or deleted, by another user. This impacts confidentiality, limited to the table the attacker has access to, and with the data disclosed dependent of the actions taken by other users.
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
A patch has been created for the following versions:
- Versions 2.1.9, 2.2.8 and 2.3.8 and later are not affected by this issue.
- The first release following v3.0.0-alpha.7 will be patched.
Frequently Asked Questions
- What is CVE-2025-11060? CVE-2025-11060 is a medium-severity incorrect authorization vulnerability in SurrealDB (rust), affecting versions >= 2.3.0, < 2.3.8. It is fixed in 2.3.8, 2.2.8, 2.1.9, 3.0.0-alpha.8. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
- Which versions of SurrealDB are affected by CVE-2025-11060? SurrealDB (rust) versions >= 2.3.0, < 2.3.8 is affected.
- Is there a fix for CVE-2025-11060? Yes. CVE-2025-11060 is fixed in 2.3.8, 2.2.8, 2.1.9, 3.0.0-alpha.8. Upgrade to this version or later.
- Is CVE-2025-11060 exploitable, and should I be worried? Whether CVE-2025-11060 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-11060 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-11060?
- Upgrade
SurrealDBto 2.3.8 or later - Upgrade
SurrealDBto 2.2.8 or later - Upgrade
SurrealDBto 2.1.9 or later - Upgrade
SurrealDBto 3.0.0-alpha.8 or later
- Upgrade